From: Timo Sirainen Date: Wed, 28 Feb 2018 14:23:07 +0000 (+0200) Subject: Released v2.3.0.1. X-Git-Tag: 2.3.0.1^0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fheads%2Frelease-2.3.0;p=thirdparty%2Fdovecot%2Fcore.git Released v2.3.0.1. --- diff --git a/NEWS b/NEWS index bb798dcb37..298ed163df 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,27 @@ +v2.3.0.1 2018-02-28 Timo Sirainen + + * CVE-2017-15130: TLS SNI config lookups may lead to excessive + memory usage, causing imap-login/pop3-login VSZ limit to be reached + and the process restarted. This happens only if Dovecot config has + local_name { } or local { } configuration blocks and attacker uses + randomly generated SNI servernames. + * CVE-2017-14461: Parsing invalid email addresses may cause a crash or + leak memory contents to attacker. For example, these memory contents + might contain parts of an email from another user if the same imap + process is reused for multiple users. First discovered by Aleksandar + Nikolic of Cisco Talos. Independently also discovered by "flxflndy" + via HackerOne. + * CVE-2017-15132: Aborted SASL authentication leaks memory in login + process. + * Linux: Core dumping is no longer enabled by default via + PR_SET_DUMPABLE, because this may allow attackers to bypass + chroot/group restrictions. Found by cPanel Security Team. Nowadays + core dumps can be safely enabled by using "sysctl -w + fs.suid_dumpable=2". If the old behaviour is wanted, it can still be + enabled by setting: + import_environment=$import_environment PR_SET_DUMPABLE=1 + - imap-login with SSL/TLS connections may end up in infinite loop + v2.3.0 2017-12-22 Timo Sirainen * Various setting changes, see https://wiki2.dovecot.org/Upgrading/2.3 diff --git a/configure.ac b/configure.ac index eb23893875..caef785063 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2,7 +2,7 @@ AC_PREREQ([2.59]) # Be sure to update ABI version also if anything changes that might require # recompiling plugins. Most importantly that means if any structs are changed. -AC_INIT([Dovecot],[2.3.0],[dovecot@dovecot.org]) +AC_INIT([Dovecot],[2.3.0.1],[dovecot@dovecot.org]) AC_DEFINE_UNQUOTED([DOVECOT_ABI_VERSION], "2.3.ABIv0($PACKAGE_VERSION)", [Dovecot ABI version]) AC_CONFIG_SRCDIR([src])
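Review bot: in the NEWS hunk, the PR_SET_DUMPABLE entry offers two ways to get core dumps back without saying that they differ in exactly the risk it has just described: `import_environment=$import_environment PR_SET_DUMPABLE=1` restores the behaviour the entry says "may allow attackers to bypass chroot/group restrictions", while `sysctl -w fs.suid_dumpable=2` is the one the entry calls safe. Suggest one sentence after the import_environment line, e.g. "Note that this re-enables the chroot/group bypass described above; prefer fs.suid_dumpable=2 where possible." The last item, "imap-login with SSL/TLS connections may end up in infinite loop", is also the only entry that gives no trigger or effect; a few words on when it happens and what an operator would observe would help judge the urgency of upgrading.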
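Review bot: in the configure.ac hunk, bumping AC_INIT from 2.3.0 to 2.3.0.1 also changes DOVECOT_ABI_VERSION, because the string on the following line is built as "2.3.ABIv0($PACKAGE_VERSION)" and therefore embeds the package version; plugins built against 2.3.0 will no longer match the ABI string even though the comment above AC_INIT ties ABI changes to struct changes and this release changes none. If a plugin rebuild on every point release is intended, the NEWS hunk should say that third-party plugins must be rebuilt against 2.3.0.1; if it is not, the ABI string should not include $PACKAGE_VERSION.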